malwarewikiaorg-20200223-history
Barrotes
Virus.DOS.Barrotes, or Barrotes (Bars), is a virus that runs on MS-DOS and generally infects COMMAND.COM when executed. It has 18 variants in 10 different versions, which differ in infection behavior, activation day or payload.

Behavior

This is a dangerous memory-resident parasitic virus. When the virus is loaded into memory, it first infects the C:\COMMAND.COM file, and then it hooks INT 21h to infect files that are executed.

Barrotes.840, 849 and 1194

These variants infect .COM files only.

Barrotes.1127

This variant does not infect COMMAND.COM before going memory resident; however, it infects both .COM and .EXE files. It does not check whether a file has already been infected, so it reinfects files, making the file grow in size with each further infection.

Barrotes.1222, 1292, Tecla.1303, 1310, 1461, 1463 and 1874

These variants infect both .COM and .EXE files. Barrotes.Tecla.1303 infects the COMMAND.COM in the same directory, which means C:\COMMAND.COM may not be infected if the virus is located in another directory. Barrotes.1310.b, j and k do not infect COMMAND.COM before going memory resident. Barrotes.1310.d and e use i386 instructions to install themselves into memory. Barrotes.1461 infects C:\DOS\KEYB.COM instead of C:\COMMAND.COM before loading into memory, and this variant reinfects files.

Payload

When activated, the virus hooks INT 1Ch and displays several vertical bars and a message in the upper-left corner:

Virus BARROTES por OSoft

Translation (from Spanish): BARROTES Virus by OSoft

Some variants may also destroy the MBR.

Barrotes.840 and 849

These variants activate on January 5th; they display the message, draw grey vertical bars and destroy the MBR.

Barrotes.1127, 1194, 1222 and 1292

These variants do not manifest themselves. It has been found that Barrotes.1194 may activate on the 1st of any month and that Barrotes.1222 may activate on the 25th of any month.
Barrotes.Tecla.1303

This variant activates on September 23rd, but it is slightly different from the others: instead of drawing vertical bars, it changes the scancode of keys that are entered.

Barrotes.1310

Barrotes.1310 has 7 variants, named A, B, D, E, I, J and K. They infect both .COM and .EXE files, and they might corrupt these files while infecting. Variants A, B and J activate on January 5th, variants D and E activate on July 20th, variant I activates on May 23rd, and variant K activates on May 19th.

Barrotes.1310.a and j

These variants draw colorful vertical bars, and variant A also destroys the MBR.

Barrotes.1310.b

This variant draws red vertical bars, disables keyboard input and destroys the MBR.

Barrotes.1310.d and e

These variants draw colorful vertical bars and display the following message instead of the original one:

Virus MIKELON por MSoft

Barrotes.1310.i

This variant draws colorful vertical bars and displays the following message instead of the original one:

Araceli Escobar=ENANA+PUTA

Barrotes.1310.k

This variant draws colorful vertical bars, displays the following message instead of the original one, and destroys the MBR:

Virus SuperDepor vK&S

Barrotes.1447 and 1463

These variants destroy the MBR on activation. They also display a message at the top of the screen and scroll all the text below it to the left:

ViRUS de G.D.R. ©PutoSOfT, NO HAY NADA COMO G.D.R. ¿¿ VERDAD ?? ;-)

Translation (from Spanish): ViRUS by G.D.R. ©PutoSOFT, THERE IS NOTHING LIKE G.D.R. RIGHT ?? ;-)

The virus was originally meant to activate on the 22nd day of every month (hex value 16h), but this failed due to a programming error: it is set to activate on the 34th day of every month (22h = 34 in decimal), so the virus would never activate.

Barrotes.1461

This variant activates on March 3rd. It corrupts disk sectors, clears the screen, and displays the message:

This is virus RETRETE! Don't attempt to recover your disk yourself!

Barrotes.1874

This variant plays a tune.
Variants

The complete list of variants of the Barrotes family:

*Virus.DOS.Barrotes.840
*Virus.DOS.Barrotes.849
*Virus.DOS.Barrotes.1127
*Virus.DOS.Barrotes.1194
*Virus.DOS.Barrotes.1222
*Virus.DOS.Barrotes.1292
*Virus.DOS.Barrotes.Tecla.1303
*Virus.DOS.Barrotes.1310 (A, B, D, E, I, J and K)
*Virus.DOS.Barrotes.1447
*Virus.DOS.Barrotes.1461
*Virus.DOS.Barrotes.1463
*Virus.DOS.Barrotes.1874

Other details

A hoax program, Hoax.DOS.Barrotes, written by BERTOV1, draws orange bars on the screen when run, but it does nothing harmful to the system.

Virus.DOS.Piolin.1176 (Piolin) has been identified as a variant of Barrotes by some antivirus products.

Barrotes.840, 849, 1194, 1292, 1310 (A, D, E and I), 1447 and 1463 contain the internal text string:

c:\command.com

Barrotes.1127 contains the internal text string:

f:\login.exe

Barrotes.Tecla.1303 contains the internal text strings:

C:\COMMAND.COM Sta Tecla (MAD1) ST

Barrotes.1461 contains the internal text string:

c:\dos\keyb.com

Barrotes.1874 contains the internal text string:

c:\COMMAND.com

Barrotes.1447 and 1463 contain the internal text string:

loXX
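The internal text strings listed above can serve as a first-pass triage check on a suspect file. The following is an added example, not code from this page or from any antivirus product: the group labels and sample buffers are constructed, and the additional Tecla.1303 strings are left out because their boundaries are not recoverable from the listing.

```python
# Internal text strings per variant group, as listed on this page.
# Matching is byte-exact and case-sensitive, because case is the only
# difference between several of the strings.
SIGNATURES = {
    "Barrotes.840/849/1194/1292/1310(A,D,E,I)": [b"c:\\command.com"],
    "Barrotes.1447/1463": [b"c:\\command.com", b"loXX"],
    "Barrotes.1127": [b"f:\\login.exe"],
    "Barrotes.Tecla.1303": [b"C:\\COMMAND.COM"],
    "Barrotes.1461": [b"c:\\dos\\keyb.com"],
    "Barrotes.1874": [b"c:\\COMMAND.com"],
}


def offsets(data: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs in data (overlaps included)."""
    found, pos = [], data.find(needle)
    while pos != -1:
        found.append(pos)
        pos = data.find(needle, pos + 1)
    return found


def candidates(data: bytes) -> list[tuple[str, dict[bytes, list[int]]]]:
    """Variant groups whose listed strings are ALL present, most specific first."""
    hits = []
    for group, needles in SIGNATURES.items():
        where = {n: offsets(data, n) for n in needles}
        if all(where.values()):  # an empty offset list means the string is absent
            hits.append((group, where))
    # A group matched on two strings is a stronger lead than one matched on one.
    hits.sort(key=lambda h: len(h[1]), reverse=True)
    return hits


# Constructed sample buffers (filler bytes plus strings), not real samples.
SAMPLE_A = b"\x90" * 32 + b"c:\\command.com\x00" + b"\x00" * 8 + b"loXX"
SAMPLE_B = b"\x00" * 16 + b"c:\\COMMAND.com\x00"
SAMPLE_C = b"echo off\r\nset COMSPEC=C:\\COMMAND.COM\r\n"  # benign batch text

if __name__ == "__main__":
    for name, buf in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        for group, where in candidates(buf):
            print(name, group, {k.decode(): v for k, v in where.items()})
```

Sample C is ordinary batch text and still matches the Tecla.1303 string, so a hit on a bare path string is a lead for further analysis, not a verdict.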